[cryptography] the spell is broken

Alan Braggins alan.braggins at gmail.com
Sat Oct 5 05:56:57 EDT 2013

On 04/10/13 22:58, Jeffrey Goldberg wrote:
> On 2013-10-04, at 4:24 AM, Alan Braggins <alan.braggins at gmail.com> wrote:
>> Surely that's precisely because they (and SSL/TLS generally) _don't_
>> have a One True Suite, they have a "pick a suite, any suite" approach?
> And for those of us having to choose between preferring BEAST and RC4
> for our webservers, it doesn’t look like we are really seeing the expected
> benefits of “negotiate a suite”.  I’m not trying to use this to condemn the
> approach; it’s a single example. But it’s a BIG single example.

Well yes, for most browsers and servers it's "pick a suite - sorry, we 
haven't added AES-GCM yet, you have a choice of one flawed stream cipher 
or a load of block ciphers all in flawed MAC-then-Encrypt mode".

I wasn't suggesting that this choice is a huge benefit over picking One 
True Suite, just commenting on how Firefox comes to pick Camellia.

(The supposed agility does mean that when people get round to
implementing TLS 1.2 and AES-GCM, or if Salsa20 gets added, it can be
used without having to define a new One True Suite. But that only helps
if new suites actually get adopted before attacks are found on all the
old ones. And if an attacker can't easily force a downgrade to SSL3.0
without the user being warned....)
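A toy model of the "pick a suite, any suite" negotiation this thread is arguing about, added here as an example and not part of the original post or any TLS library: the suite catalogue, the version each suite needs and the weakness labels are constructed to match the post's description (RC4 as the flawed stream cipher, CBC suites as MAC-then-encrypt and BEAST-exposed below TLS 1.1, AES-GCM only from TLS 1.2).

```python
"""Toy model of TLS version/suite negotiation (constructed example)."""
from typing import List, Optional, Tuple

# Protocol versions, lowest to highest.
VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]

# Constructed catalogue: suite -> (cipher construction, lowest version it needs).
SUITES = {
    "RC4-SHA":           ("stream", "SSL3.0"),
    "AES128-SHA":        ("cbc",    "SSL3.0"),
    "CAMELLIA128-SHA":   ("cbc",    "SSL3.0"),
    "AES128-GCM-SHA256": ("aead",   "TLS1.2"),
}

def negotiate(client_versions: List[str], client_suites: List[str],
              server_versions: List[str], server_prefs: List[str]) -> Optional[Tuple[str, str]]:
    """Highest common version, then the first suite in the server's preference
    order that the client also offers and that the chosen version can carry."""
    common = [v for v in VERSIONS if v in client_versions and v in server_versions]
    if not common:
        return None
    version = common[-1]
    for suite in server_prefs:
        if suite not in client_suites:
            continue
        if VERSIONS.index(SUITES[suite][1]) <= VERSIONS.index(version):
            return version, suite
    return None

def weakness(version: str, suite: str) -> Optional[str]:
    """Label the outcome the way the post does: RC4 is a flawed stream cipher;
    CBC suites are MAC-then-encrypt, and BEAST-exposed below TLS 1.1."""
    kind = SUITES[suite][0]
    if kind == "stream":
        return "flawed stream cipher (RC4)"
    if kind == "cbc":
        beast = VERSIONS.index(version) < VERSIONS.index("TLS1.1")
        return "CBC MAC-then-encrypt" + (", BEAST-exposed" if beast else "")
    return None

if __name__ == "__main__":
    server_p = ["AES128-GCM-SHA256", "RC4-SHA", "AES128-SHA", "CAMELLIA128-SHA"]
    # A 2013-era browser without TLS 1.2 can never be offered AES-GCM, so the
    # server's preference order decides between RC4 and a BEAST-exposed CBC suite.
    for client_v in (VERSIONS, VERSIONS[:2], VERSIONS[:1]):
        got = negotiate(client_v, list(SUITES), VERSIONS, server_p)
        print(client_v[-1], got, weakness(*got) if got else "no common suite")
```

Swapping the server's preference between "RC4-SHA" and "AES128-SHA" shows the exact choice the reply complains about: with a TLS 1.0-only client every reachable outcome is flagged, and agility only helps once both sides actually speak TLS 1.2.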
